diff --git a/README.md b/README.md
index a8b2f5c02f3..39ce41e2268 100644
--- a/README.md
+++ b/README.md
@@ -336,7 +336,7 @@ Stats:
 ### New profiles:
 onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb, lbry-viewer, tuir,
-cinelerra-gg, tesseract, avidemux3_cli, avidemux3_jobs_qt5, avidemux3_qt5,
+cinelerra-gg, tesseract, avidemux3_cli, avidemux3_jobs_qt5, avidemux3_qt5, ssmtp
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 858a0c9f6c3..b52bcaa1117 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -1181,6 +1181,7 @@ blacklist ${HOME}/yt-dlp.conf.txt
 blacklist ${RUNUSER}/*firefox*
 blacklist ${RUNUSER}/akonadi
 blacklist ${RUNUSER}/psd/*firefox*
+blacklist /etc/ssmtp
 blacklist /tmp/.wine-*
 blacklist /tmp/akonadi-*
 blacklist /var/games/nethack
diff --git a/etc/profile-m-z/ssmtp.profile b/etc/profile-m-z/ssmtp.profile
new file mode 100644
index 00000000000..1a224e7b0f9
--- /dev/null
+++ b/etc/profile-m-z/ssmtp.profile
@@ -0,0 +1,75 @@
+# Firejail profile for ssmtp
+# Description: Extremely simple MTA to get mail off the system to a mailhub
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ssmtp.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+blacklist /usr/libexec
+
+noblacklist /etc/logcheck
+noblacklist /etc/ssmtp
+noblacklist /sbin
+noblacklist /usr/sbin
+
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+include disable-X11.inc
+
+mkfile ${HOME}/dead.letter
+whitelist ${HOME}/dead.letter
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+#nogroups breaks app
+noinput
+nonewprivs
+noprinters
+#noroot breaks app
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+# private works but then we lose ${HOME}/dead.letter
+# which is useful to get notified on mail issues
+#private
+private-bin mailq,newaliases,sendmail,ssmtp
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces
+read-only ${HOME}
+read-write ${HOME}/dead.letter
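Review bot: The `#nogroups breaks app` and `#noroot breaks app` lines in the new profile record the symptom but not the cause, and the cause matters here because `/etc/ssmtp` is the one configuration directory this profile deliberately re-exposes with `noblacklist /etc/ssmtp` (while the companion hunk hides it from every other sandbox), and its ssmtp.conf conventionally holds the mailhub login. If the breakage is the usual packaging one — ssmtp installed setgid mail with ssmtp.conf readable only by root and the mail group — the comment should say so, e.g. `#nogroups breaks app: ssmtp is setgid mail and needs that group to read /etc/ssmtp/ssmtp.conf`, with the same explanation on the noroot line. It is also worth confirming that `nonewprivs` does not produce the same failure for unprivileged callers, since NO_NEW_PRIVS makes execve ignore setgid bits; if the profile only works when run as root, that belongs in the header comment. Separately, `whitelist ${DOCUMENTS}` and `whitelist ${DOWNLOADS}` expose user data to an MTA that takes its message on stdin; a one-line comment on why they are needed would help the next person who tries to tighten this profile.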